Why The OPM Breach Is Such a Security and Privacy Debacle

IF IT’S NOT already a maxim, it should be: Every big hack discovered will eventually prove to be more serious than first believed. That’s holding to be especially true with the recently disclosed hack of the federal Office of Personnel Management, the government’s human resources division.

At first, the government said the breach exposed the personal information of approximately four million people—information such as Social Security numbers, birthdates and addresses of current and former federal workers. Wrong.

It turns out the hackers, who are believed to be from China, also accessed so-called SF-86 forms, documents used for conducting background checks for worker security clearances. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant’s interactions with foreign nationals—information that could be used against those nationals in their own country.

What’s more, in initial media stories about the breach, the Department of Homeland Security had touted the government’s EINSTEIN detection program, suggesting it was responsible for uncovering the hack. Nope, also wrong.

Although reports are conflicting about how the OPM discovered the breach, it took investigators four months to uncover it, which means the EINSTEIN system failed. According to a statement from the OPM, the breach was found after administrators made upgrades to unspecified systems. But the Wall Street Journal reported today that the breach was actually discovered during a sales demonstration by a security company named CyTech Services (paywall), showing the OPM its forensic product.

There are also some questions now about the number of people affected by the breach. Bloomberg and the Associated Press report that the figure may be closer to 14 million—affecting not only current and former federal employees but also military, intelligence and government contractor staff going back to the 1980s. But others are disputing this.

As more information comes out about the kinds of information the hackers accessed, the repercussions could be much graver than anyone thought.

In its statements about the breach, including a phone recording played for any federal worker who calls seeking more information, the OPM has emphasized that it is offering victims of the breach credit monitoring, a protection usually offered after financial breaches. It has only confirmed that basic personal information was stolen, such as names, Social Security numbers, date and place of birth, and current and former addresses.

But in fact, the data accessed by the intruders may be far broader. The 127-page SF-86 forms believed to have been accessed by the hackers also include financial information, detailed employment histories—with reasons for past terminations included—as well as criminal history, psychological records and information about past drug use.

Federal background checks, after all, are meant to suss out information that might be used by foreign enemies to blackmail a government staffer into turning over classified information. And that stolen information could be used for exactly that extortion purpose, says Chris Eng, a former NSA staffer and now VP of research at the security firm Veracode. If the breached background check information goes beyond the SF-86 form, it could even include detailed personal profiles obtained through polygraph tests, in which employees are asked to confess law-breaking and sexual history. “They write it all down and it goes into your file. If OPM had any of that stuff, it could be super damaging. You’d know exactly who to go after, who to blackmail,” Eng says. “It could be very damaging from a counterintelligence and national security standpoint.”

There’s another concern even beyond that blackmail risk. SF-86 forms can include a list of foreign nationals with whom a worker has had contact. Diplomats and other workers with access to classified information are required—depending on their job—to provide a list of these contacts. There is concern that if the Chinese government got hold of lists containing the names of Chinese nationals who had been in touch with US government workers, this could be used to blackmail or punish them if they had been secretive about the contact.